1. add almaty install_config and deploy.yml file 2. change tfe rpm package

2020-10-28 09:41:43 +06:00
parent bda0faa7ff
commit 590ab35b0d
17 changed files with 640 additions and 6 deletions
--- a/Almaty_deploy.yml
+++ b/Almaty_deploy.yml
@@ -0,0 +1,145 @@
+- hosts:
+    - adc_mcn0
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+    - packet_dump_server
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+  roles:
+    - framework
+
+- hosts: packet_dump_server
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+  roles:
+    - packet_dump
+
+- hosts: adc_mxn
+  remote_user: root
+  roles:
+#    - tsg-env-mxn
+
+- hosts: adc_mcn0
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+    - Almaty_install_config/group_vars/adc_mcn0.yml
+  roles:
+#    - tsg-env-mcn0
+    - telegraf_collect
+    - kernel-ml
+    - mrzcpd
+    - sapp
+    - tsg_master
+    - kni
+    - firewall
+#    - tsg_app
+    - http_healthcheck
+    - redis
+    - cert-redis
+    - certstore
+    - telegraf_statistic
+#    - tsg_device_tag
+
+- hosts: adc_mcn1
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+    - Almaty_install_config/group_vars/adc_mcn1.yml
+  roles:
+#    - tsg-env-mcn1
+    - telegraf_collect
+    - kernel-ml
+    - mrzcpd
+    - tfe
+
+- hosts: adc_mcn2
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+    - Almaty_install_config/group_vars/adc_mcn2.yml
+  roles:
+#    - tsg-env-mcn2
+    - telegraf_collect
+    - kernel-ml
+    - mrzcpd
+    - tfe
+
+- hosts: adc_mcn3
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+    - Almaty_install_config/group_vars/adc_mcn3.yml
+  roles:
+    - kernel-ml
+#    - tsg-env-mcn3
+    - telegraf_collect
+    - redis
+    - maat-redis
+    - mrzcpd
+    - tfe
+
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - tsg-diagnose
+
+- hosts: 
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  roles:
+    - tsg-diagnose_sync_ca
+    
+- hosts: adc_mcn0
+  remote_user: root
+  roles:
+    - tsg-diagnose_stop_sync
+
+- hosts:
+    - adc_mcn0
+    - adc_mcn1
+    - adc_mcn2
+    - adc_mcn3
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/adc_global.yml
+  roles:
+    #- reboot
+
+- hosts: server-as-tun-mode
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/server_as_tun_mode.yml
+  roles:
+    - kernel-ml
+    - framework
+    - mrzcpd
+    - tsg-env-tun-mode
+    - sapp
+    - tsg_master
+    - kni
+    - firewall
+    - tsg_app
+    - http_healthcheck
+    - certstore
+    - redis
+    - cert-redis
+    - maat-redis
+    - tfe
+    - telegraf_statistic
+    - telegraf_collect
+    - proxy_status
+#    - tsg_device_tag
+    - reboot
+
+- hosts: app_global
+  remote_user: root
+  vars_files:
+    - Almaty_install_config/group_vars/app_global.yml
+  roles:
+    - app_global
--- a/Almaty_install_config/group_vars/adc_global.yml
+++ b/Almaty_install_config/group_vars/adc_global.yml
@@ -0,0 +1,123 @@
+#########################################
+#####1: Inline_device;  2: Allot;  3: ADC_Tun_mode;
+tsg_access_type: 2
+#####2: ADC;
+tsg_running_type: 2
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 0
+
+########################################
+#IP Config
+maat_redis_city_server:
+  address: "10.3.62.253"
+  port: 7002
+
+maat_redis_server:
+  address: "192.168.100.4"
+  port: 7002
+  port_num: 1
+  db: 0
+
+dynamic_maat_redis_server:
+  address: "192.168.100.4"
+  port: 7002
+  port_num: 1
+  db: 1
+
+cert_store_server:
+  address: "192.168.100.1"
+  port: 9991
+
+log_kafkabrokers:
+  address: "10.3.61.11:9092,10.3.61.12:9092,10.3.61.13:9092,10.3.61.14:9092,10.3.61.15:9092,10.3.61.16:9092,10.3.61.17:9092,10.3.61.18:9092"
+
+telegraf_kafkabrokers:
+  address: "\"10.3.61.11:9092\",\"10.3.61.12:9092\",\"10.3.61.13:9092\",\"10.3.61.14:9092\",\"10.3.61.15:9092\",\"10.3.61.16:9092\",\"10.3.61.17:9092\",\"10.3.61.18:9092\""
+
+monitor_outputs_influxdb:
+  url: "http://127.0.0.1:58086"
+
+log_minio:
+  address: "10.3.62.253"
+  port: 9090
+
+#########################################
+#Log Level Config
+#日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_ftp_log_level: 10
+fw_mail_log_level: 10
+fw_http_log_level: 10
+fw_dns_log_level: 10
+fw_quic_log_level: 10
+capture_packet_log_level: 10
+tsg_log_level: 10
+tsg_master_log_level: 10
+kni_log_level: 10
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: FATAL
+tfe_http_log_level: FATAL
+pangu_log_level: FATAL
+doh_log_level: FATAL
+
+certstore_log_level: 30
+packet_dump_log_level: 10
+
+#######################################
+#Sapp Performance Config
+#Sapp工作在ADC计算板0时，建议使用如下30+8的配置，以保证更高的处理性能
+sapp:
+  worker_threads: 42
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43
+  inbound_route_dir: 1
+
+########################################
+#Kni Config
+kni:
+  global:
+    tfe_node_count: 3
+  watch_dog:
+    switch: 1
+  maat:
+    readconf_mode: 2
+  send_logger:
+    switch: 1
+  tfe_nodes:
+    tfe0_enabled: 1
+    tfe1_enabled: 1
+    tfe2_enabled: 1
+
+########################################
+#Tfe Config
+tfe:
+  nr_threads: 32
+  mirror_enable: 1
+
+########################################
+#Marsio Config
+#marsio工作在ADC计算板时，建议使用如下配置，以保证更高的处理性能
+mrzcpd:
+  iocore: 52,53,54,55
+
+mrtunnat:
+  lcore_id: 48,49,50,51 
+
+#########################################
+#Tsg_app
+tsg_app_enable: 0
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+
+breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6
+
+data_center: Almaty
+tsg_master_entrance_id: 3
+nic_mgr: 
+   name: em1
--- a/Almaty_install_config/group_vars/adc_mcn0.yml
+++ b/Almaty_install_config/group_vars/adc_mcn0.yml
@@ -0,0 +1,41 @@
+#########################################
+#Mcn0管理口网卡名
+nic_mgr:
+  name: ens1f3
+
+#########################################
+#Mcn0流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens1f4
+
+#########################################
+#Mcn0其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens1.100
+nic_to_tfe:
+  tfe0:
+      name: ens1f5
+  tfe1:
+      name: ens1f6
+  tfe2:
+      name: ens1f7
+
+#########################################
+#串联设备接入相关配置
+inline_device_config:
+  keepalive_ip: 192.168.1.30
+  keepalive_mask: 255.255.255.252
+
+#########################################
+#Allot接入相关配置
+AllotAccess:
+  #virturlInterface_1: ens1f2.103
+  #virturlInterface_2: ens1f2.104
+  virturlID_1: 1201
+  virturlID_2: 1202
+  virturlID_3: 1301
+  virturlID_4: 1302
+  #vvipv4_mask: 24
+  #vvipv6_mask: 64
+
+bladename: mcn0
--- a/Almaty_install_config/group_vars/adc_mcn1.yml
+++ b/Almaty_install_config/group_vars/adc_mcn1.yml
@@ -0,0 +1,19 @@
+#########################################
+#Mcn1管理口网卡名
+nic_mgr:
+  name: ens1f3
+
+#########################################
+#Mcn1流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens1f1
+
+#########################################
+#Mcn1其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens1.100
+nic_traffic_mirror:
+  name: ens1f2
+  use_mrzcpd: 1
+
+bladename: mcn1
--- a/Almaty_install_config/group_vars/adc_mcn2.yml
+++ b/Almaty_install_config/group_vars/adc_mcn2.yml
@@ -0,0 +1,19 @@
+#########################################
+#Mcn2管理口网卡名
+nic_mgr:
+  name: ens8f3
+
+#########################################
+#Mcn2流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens8f1
+
+#########################################
+#Mcn2其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens8.100
+nic_traffic_mirror:
+  name: ens8f2
+  use_mrzcpd: 1
+  
+bladename: mcn2
--- a/Almaty_install_config/group_vars/adc_mcn3.yml
+++ b/Almaty_install_config/group_vars/adc_mcn3.yml
@@ -0,0 +1,19 @@
+#########################################
+#Mcn3管理口网卡名
+nic_mgr:
+  name: ens8f3
+
+#########################################
+#Mcn3流量接入网卡，固定配置
+nic_data_incoming:
+  name: ens8f1
+
+#########################################
+#Mcn3其他数据口网卡名配置，固定配置
+nic_inner_ctrl:
+  name: ens8.100
+nic_traffic_mirror:
+  name: ens8f2
+  use_mrzcpd: 1
+  
+bladename: mcn3
--- a/Almaty_install_config/group_vars/app_global.yml
+++ b/Almaty_install_config/group_vars/app_global.yml
@@ -0,0 +1,10 @@
+#########################################
+app_sketch_global_log_level: 10
+
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+file_stat_ip: "1.1.1.1"
+  
--- a/Almaty_install_config/group_vars/server_as_tun_mode.yml
+++ b/Almaty_install_config/group_vars/server_as_tun_mode.yml
@@ -0,0 +1,145 @@
+#########################################
+#####0: Pcap;  1: Inline_device;  4: ATCA_Vlan_Flipping;  5:ATCA_VXLAN;
+tsg_access_type: 1
+#####0: Tun_mode;  1: normal;
+tsg_running_type: 1
+
+########################################
+#Deploy_finished_reboot
+Deploy_finished_reboot: 1
+
+########################################
+#Server Basic Config
+nic_mgr:
+  name: eth0
+
+nic_inner_ctrl:
+  name: eth0.100
+
+#########################################
+#IP Config
+maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+dynamic_maat_redis_server:
+  address: "192.168.40.168"
+  port: 7002
+  db: 0
+
+cert_store_server:
+  address: "192.168.100.1"
+  port: 9991
+
+log_kafkabrokers:
+  address: "1.1.1.1:9092,2.2.2.2:9092"
+
+log_minio:
+  address: "192.168.40.168;"
+  port: 9090
+
+#########################################
+#Log Level Config
+#日志等级 10:DEBUG 20:INFO 30:FATAL
+fw_ftp_log_level: 10
+fw_mail_log_level: 10
+fw_http_log_level: 10
+fw_dns_log_level: 10
+fw_quic_log_level: 10
+capture_packet_log_level: 10
+tsg_log_level: 10
+tsg_master_log_level: 10
+kni_log_level: 10
+
+
+#日志等级 DEBUG INFO FATAL
+tfe_log_level: DEBUG
+tfe_http_log_level: DEBUG
+pangu_log_level: DEBUG
+doh_log_level: DEBUG
+
+certstore_log_level: 10
+packet_dump_log_level: 10
+
+#########################################
+#Sapp Performance Config
+#如果tsg_access_type=0，sapp跑在pcap模式，则以下配置可忽略
+sapp:
+  worker_threads: 23
+  send_only_threads_max: 1
+  bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
+  inbound_route_dir: 1
+
+#########################################
+#Sapp Double-Arm Config
+packet_io:
+  internal_interface: eth2
+  external_interface: eth3
+
+
+#########################################
+#Kni Config
+kni:
+  global:
+    tfe_node_count: 1
+  watch_dog:
+    switch: 1
+  maat:
+    readconf_mode: 2
+  send_logger:
+    switch: 1
+  tfe_nodes:
+    tfe0_enabled: 1
+    tfe1_enabled: 0
+    tfe2_enabled: 0
+
+#########################################
+#Tfe Config
+tfe:
+  nr_threads: 32
+  mirror_enable: 1
+
+#########################################
+#Marsio Config
+mrzcpd:
+  iocore: 39
+
+mrtunnat:
+  lcore_id: 38
+
+#########################################
+#Tsg_app
+tsg_app_enable: 1
+app_global_ip: "1.1.1.1"
+applog_level: 10
+app_master_log_level: 10
+app_sketch_local_log_level: 10
+app_control_plug_log_level: 10
+
+#########################################
+#ATCA Config
+#下列配置只在tsg_access_type=4时生效
+ATCA_data_incoming:
+  ethname: enp1s0
+  vf0_name: enp1s2
+  vf1_name: enp1s2f1
+  vf2_name: enp1s2f2
+
+ATCA_VlanFlipping:
+  vlanID_1: 100
+  vlanID_2: 101
+  vlanID_3: 103
+  vlanID_4: 104
+
+#下列配置只在tsg_access_type=5时生效
+ATCA_VXLAN:
+  keepalive_ip: "10.254.19.1"
+  keepalive_mask: "255.255.255.252"
+
+#########################################
+#Inline Device Config
+inline_device_config:
+  keepalive_ip: 192.168.1.30
+  keepalive_mask: 255.255.255.252
+  data_incoming: eth5
--- a/Almaty_install_config/hosts
+++ b/Almaty_install_config/hosts
@@ -0,0 +1,47 @@
+###################
+#   For example   #
+###################
+#变量device_id根据设备序号设置即可
+#变量vvipv4_1、vvipv4_2、vvipv6_1、vvipv6_2为Allot相关配置，其他环境可不填或直接删除变量
+#
+#20.09版本新增APP部署
+#[app_global]
+#0.0.0.0
+
+#[server-as-tun-mode]
+#1.1.1.1 device_id=device_1
+#
+#[adc_mxn]
+#10.3.72.1
+#10.3.72.2
+#
+#[adc_mcn0]
+#10.3.73.1 device_id=device_1 vvipv4_1=10.3.61.1 vvipv4_2=10.3.62.1 vvipv6_1=fc00::61:1 vvipv6_2=fc00::62:1
+#10.3.73.2 device_id=device_2 vvipv4_1=10.3.61.2 vvipv4_2=10.3.62.2 vvipv6_1=fc00::61:2 vvipv6_2=fc00::62:2
+#
+#[adc_mcn1]
+#10.3.74.1 device_id=device_1
+#10.3.74.2 device_id=device_2
+#
+#[adc_mcn2]
+#10.3.75.1 device_id=device_1
+#10.3.75.2 device_id=device_2
+#
+#[adc_mcn3]
+#10.3.76.1 device_id=device_1
+#10.3.76.2 device_id=device_2
+
+#[app_global]
+#[server-as-tun-mode]
+#p
+#[adc_mxn]
+[adc_mcn0]
+10.3.51.1
+[adc_mcn1]
+10.3.52.1
+[adc_mcn2]
+10.3.53.1
+[adc_mcn3]
+10.3.54.1
+[packet_dump_server]
+10.3.61.10
--- a/NurSultan_deploy.yml
+++ b/NurSultan_deploy.yml
@@ -9,8 +9,6 @@
    - NurSultan_install_config/group_vars/adc_global.yml
  roles:
    - framework
-    #- kernel-ml
-    - telegraf_collect

 - hosts: packet_dump_server
  remote_user: root
@@ -31,6 +29,7 @@
    - NurSultan_install_config/group_vars/adc_mcn0.yml
  roles:
 #    - tsg-env-mcn0
+    - telegraf_collect
    - kernel-ml
    - mrzcpd
    - sapp
@@ -52,6 +51,7 @@
    - NurSultan_install_config/group_vars/adc_mcn1.yml
  roles:
 #    - tsg-env-mcn1
+    - telegraf_collect
    - kernel-ml
    - mrzcpd
    - tfe
@@ -63,6 +63,7 @@
    - NurSultan_install_config/group_vars/adc_mcn2.yml
  roles:
 #    - tsg-env-mcn2
+    - telegraf_collect
    - kernel-ml
    - mrzcpd
    - tfe
@@ -73,10 +74,11 @@
    - NurSultan_install_config/group_vars/adc_global.yml
    - NurSultan_install_config/group_vars/adc_mcn3.yml
  roles:
+    - kernel-ml
 #    - tsg-env-mcn3
+    - telegraf_collect
    - redis
    - maat-redis
-    - kernel-ml
    - mrzcpd
    - tfe

--- a/NurSultan_install_config/group_vars/adc_global.yml
+++ b/NurSultan_install_config/group_vars/adc_global.yml
@@ -115,7 +115,7 @@ app_sketch_local_log_level: 10
 app_control_plug_log_level: 10


-breakpad_upload_url: http://127.0.0.1/
+breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6

 data_center: Nur-sultan
 tsg_master_entrance_id: 4
--- a/roles/certstore/templates/cert_store.ini.j2
+++ b/roles/certstore/templates/cert_store.ini.j2
@@ -7,7 +7,7 @@ RUN_LOG_PATH = "conf/zlog.conf"
 disable_coredump=0
 enable_breakpad=1
 breakpad_minidump_dir=/tmp/certstore/crashreport
-enable_breakpad_upload=0
+enable_breakpad_upload=1
 breakpad_upload_url= {{ breakpad_upload_url }}

 [CONFIG]
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -40,6 +40,12 @@
    dest: /home/mesasoft/sapp_run/tsgconf/maat.conf
  tags: template

+- name: "Template the tsgconf/tsg_log_field.conf"
+  template:
+    src: "{{ role_path }}/templates/tsg_log_field.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/tsg_log_field.conf
+  tags: template
+
 - name: "Template the conf/capture_packet_plug.conf.j2"
  template:
    src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
--- a/roles/firewall/templates/tsg_log_field.conf.j2
+++ b/roles/firewall/templates/tsg_log_field.conf.j2
@@ -0,0 +1,52 @@
+#TYPE：1:UCHAR,2:USHORT,3:ULONG,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
+#TYPE	TOPIC	SERVICE
+TOPIC	SECURITY-EVENT-LOG	0
+TOPIC	CONNECTION-RECORD-LOG	1
+TOPIC	CONNECTION-SKETCH	2
+
+#TYPE		FIELD		VALUE
+LONG   		common_policy_id	1
+LONG   		common_service		2
+LONG   		common_action		3
+LONG   		common_start_time	4
+LONG   		common_end_time		5
+STRING		common_l4_protocol	6
+LONG   		common_address_type	7
+STRING		common_server_ip	8
+STRING		common_client_ip	9
+LONG   		common_server_port	10
+LONG   		common_client_port	11
+LONG   		common_stream_dir	12
+STRING		common_address_list	13
+LONG   		common_entrance_id	14	
+LONG   		common_device_id	15	
+LONG   		common_link_id		16	
+STRING		common_isp		17	
+LONG   		common_encapsulation	18	
+LONG   		common_direction	19	
+STRING		common_sled_ip		20	
+STRING		common_user_tags	21
+STRING		common_user_region	22
+STRING		common_app_label	23
+LONG		common_app_id		24
+LONG		common_protocol_id	25
+LONG		common_c2s_pkt_num	26
+LONG		common_s2c_pkt_num	27
+LONG		common_c2s_byte_num	28
+LONG		common_s2c_byte_num	29	
+LONG		common_con_duration_ms	30
+LONG		common_has_dup_traffic	31
+STRING		common_stream_error	32
+STRING		common_stream_trace_id	33
+STRING		common_schema_type	34
+STRING		http_host		35
+STRING		ssl_sni			36
+LONG		common_establish_latency_ms	37
+STRING		common_sub_action		38
+STRING		common_client_asn	39
+STRING		common_server_asn	40
+STRING		common_client_location	41
+STRING		common_server_location	42
+STRING		quic_sni			43
+STRING		ssl_ja3_fingerprint		44
+STRING		common_data_center	45
--- a/roles/packet_dump/tasks/main.yml
+++ b/roles/packet_dump/tasks/main.yml
@@ -26,3 +26,9 @@
    name: packet_dump.service
    enabled: yes
    daemon_reload: yes
+
+- name: "enable httpd"
+  systemd:
+    name: httpd
+    enabled: yes
+    daemon_reload: yes
--- a/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm
+++ b/roles/tfe/files/tfe-4.3.15.99731ae-1.el7.x86_64.rpm
--- a/roles/tfe/tasks/main.yml
+++ b/roles/tfe/tasks/main.yml
@@ -14,7 +14,7 @@
  yum:
    name:
      - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm
-      - /tmp/ansible_deploy/tfe-4.3.14.13d2607-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tfe-4.3.15.99731ae-1.el7.x86_64.rpm
    state: present

 - name: "template tfe-env config"